ForeScout App For IBM QRadar


ForeScout App for IBM QRadar How-to Guide
Version 2.0.1

Table of Contents

About IBM QRadar Integration
  Use Cases
    Visualization of CounterACT Endpoint Compliance Status & Connectivity
    Agent Health and Compliance for Windows
    Generate IBM QRadar Offense to Drive CounterACT Action
    Right-click to Trigger CounterACT Action
    Connecting Appliance Option added to Configuration Setup
  Additional QRadar Documentation
About This Module
Requirements
  QRadar Requirements
  CounterACT Requirements
  Networking and Communication Protocol Requirements
What to Do
Install the Module
  Download App Files
  Install and Configure the ForeScout App for QRadar
New Features
  QRadar Action on Offense by Credibility and Severity
  QRadar Action on Offense by Description
  QRadar Send SIEM Update
  QRadar WinCollect Agent Compliance
Integrate the ForeScout Functionalities into IBM QRadar
  View Widget Details
  Customize the Display of the Dashboard
Display Inventory Data
Running Action Items
Additional CounterACT Documentation
  Documentation Portal
  Customer Support Portal
  CounterACT Console Online Help Tools

About IBM QRadar Integration

CounterACT integrates with IBM QRadar SIEM servers to provide complete visibility of network endpoints, including unmanaged endpoints. QRadar integration lets you send policy status and selected host information from CounterACT to QRadar SIEM servers and trigger CounterACT actions based on SIEM messages.

Use Cases

This section describes important use cases supported by this module.

- Visualization of CounterACT Endpoint Compliance Status & Connectivity
- Agent Health and Compliance for Windows
- Generate IBM QRadar Offense to Drive CounterACT Action
- Right-click to Trigger CounterACT Action
- Connecting Appliance Option added to Configuration Setup

Visualization of CounterACT Endpoint Compliance Status & Connectivity

An IBM QRadar security administrator can monitor the current security posture on the IBM QRadar dashboard according to the configuration of the different security solutions deployed. The security administrator can add CounterACT widgets to the dashboard. These widgets cover the following visualization scenarios:

- Endpoint compliance status summaries
- Registered corporate users vs. guests
- Device types in the network
- Patterns of network access over time

For more information, see Integrate the ForeScout Functionalities into IBM QRadar.

Agent Health and Compliance for Windows

An IBM QRadar security administrator can ensure that the IBM QRadar WinCollect agent is installed and functioning properly on Windows endpoints within the network. An IBM QRadar WinCollect agent is a Windows Log Collection Agent, a stand-alone Windows application that is installed on both the IBM QRadar machine and the Windows host to allow IBM QRadar to collect Windows-based events. For more information, see QRadar WinCollect Agent Compliance.

Generate IBM QRadar Offense to Drive CounterACT Action

An organization uses a network firewall to detect targeted Denial of Service (DoS) attacks on its web applications. The same organization also has IBM QRadar SIEM to collect and aggregate logs from CounterACT, the firewall, and the web applications. When IBM QRadar detects a targeted DoS attack via firewall log correlation, an Offense is generated. The security administrator would then have the source of the attack automatically blocked by the firewall to prevent further disruption of service to the application(s) on the network.

Right-click to Trigger CounterACT Action

You can right-click any IP address or MAC field to send an action type to CounterACT. CounterACT sets properties and triggers policies to take action. For more information, see Running Action Items.

Connecting Appliance Option added to Configuration Setup

When adding a QRadar SIEM server, the operator can select the CounterACT appliance that communicates between the IBM QRadar SIEM server and the assigned CounterACT devices. For more information, refer to the ForeScout Extended Module for IBM QRadar Configuration Guide.

Additional QRadar Documentation

Refer to the online documentation for more information about IBM QRadar: r/SS42VS 7.2.8/com.ibm.qradar.doc/qradar IC welcome.html

About This Module

CounterACT integrates with IBM QRadar SIEM servers to provide complete visibility of network endpoints, including unmanaged endpoints. QRadar integration lets you send policy status and selected host information from CounterACT to QRadar SIEM servers and trigger CounterACT actions based on SIEM messages.

The QRadar Module works with the ForeScout App for QRadar to integrate CounterACT and QRadar so that you can:

- Use policies and actions provided by the QRadar Module to regularly push endpoint data to QRadar. See QRadar Send SIEM Update.
- View CounterACT data in a dedicated, customizable QRadar dashboard. See View Widget Details.
- Define CounterACT policies that respond to QRadar Offenses.
- Configure QRadar to send Offenses to CounterACT based on custom Offenses. Offenses can combine data from multiple sources.

The ForeScout App for IBM QRadar and the ForeScout Extended Module for QRadar work together to support communications between CounterACT and QRadar. You must install and configure both components to work with the features described in this document. For example, CounterACT policies and actions provided by the QRadar Module are used to populate QRadar with CounterACT data. Read this document together with the ForeScout Extended Module for IBM QRadar Configuration Guide.

Requirements

This section describes all the requirements for the QRadar 2.0.0 release.

QRadar Requirements

This release supports IBM QRadar version 7.2.8 and above. Uninstalling the previous version of this App is not required.

CounterACT Requirements

The ForeScout App for QRadar interacts with an Enterprise Manager running 7.0.0 and above. The following components must be installed:

- Service Pack 2.3.2 and above
- ForeScout Extended Module for QRadar version 2.0.0
- Syslog Plugin 3.1.4 and above

Networking and Communication Protocol Requirements

Verify connectivity between CounterACT and the targeted QRadar servers on the configured TCP or UDP port. The default port is 514.

What to Do

Perform the following to carry out the integration:

- Verify that requirements are met. See Requirements for details.
- Download and install the ForeScout Extended Module for IBM QRadar. See Install the Module for details.
- Define target IBM QRadar SIEM servers, and assign CounterACT devices to them. See the ForeScout Extended Module for IBM QRadar Configuration Guide.

Install the Module

This section describes the installation and configuration of the ForeScout App for QRadar.

Perform the following steps to work with the dashboard. For steps performed in the CounterACT Console, refer to the ForeScout Extended Module for IBM QRadar Configuration Guide.
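The connectivity requirement above is a single port check, but it is easy to test the wrong transport: a TCP probe says nothing about a UDP listener and vice versa. The script below is an added example written for this guide, not ForeScout or IBM code. It builds an RFC 3164 style syslog line, sends it to a configured host and port over TCP or UDP, and includes a loopback round trip so the logic can be exercised offline. The host names, port and message text are constructed sample values, and the function names are assumptions made here.

```python
"""Syslog connectivity pre-check between CounterACT and a QRadar SIEM server.

Added illustration, not ForeScout or IBM code. It assumes only what the guide
states: CounterACT forwards to QRadar on a configured TCP or UDP port, 514 by
default. Host names, the port and the message text are constructed samples.
"""
import socket
import time

DEFAULT_SYSLOG_PORT = 514          # default port named in the requirements
EPOCH = time.gmtime(0)             # fixed timestamp for deterministic output


def build_syslog_line(hostname, app, msg, facility=1, severity=6, when=None):
    """Build an RFC 3164 style line: <PRI>Mmm dd HH:MM:SS host app: msg.

    PRI = facility * 8 + severity; facility 1 (user) and severity 6
    (informational) give the common <14> prefix. The day of month is
    space padded, as the classic format requires.
    """
    pri = facility * 8 + severity
    when = time.localtime() if when is None else when
    stamp = "%s %2d %s" % (time.strftime("%b", when), when.tm_mday,
                           time.strftime("%H:%M:%S", when))
    return "<%d>%s %s %s: %s" % (pri, stamp, hostname, app, msg)


def send_test_line(host, port, line, proto="tcp", timeout=3.0):
    """Send one syslog line over TCP or UDP.

    TCP returns False when the connection is refused, unresolvable or times
    out, which is the useful signal for a firewall or wrong-port problem.
    UDP has no handshake, so True only means the datagram left this host.
    """
    data = line.encode("utf-8")
    try:
        if proto == "tcp":
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(data)
            return True
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            return s.sendto(data, (host, port)) == len(data)
    except OSError:
        return False


def local_roundtrip(proto="tcp"):
    """Offline demonstration: listen on an ephemeral loopback port, send a
    test line to it, and return (sent_ok, received_matches)."""
    line = build_syslog_line("counteract-em", "fstool", "qradar connectivity test")
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(3.0)
        port = srv.getsockname()[1]
        if proto == "tcp":
            srv.listen(1)
        sent = send_test_line("127.0.0.1", port, line, proto)
        if proto == "tcp":
            conn, _ = srv.accept()
            with conn:
                received = conn.recv(1024)
        else:
            received, _ = srv.recvfrom(1024)
    return sent, received.decode("utf-8") == line


if __name__ == "__main__":
    # Loopback self-check first, then a probe of a (constructed) QRadar address.
    print("tcp loopback:", local_roundtrip("tcp"))
    print("udp loopback:", local_roundtrip("udp"))
    probe = build_syslog_line("counteract-em", "fstool", "qradar connectivity test")
    print("qradar tcp:", send_test_line("qradar.example.internal",
                                        DEFAULT_SYSLOG_PORT, probe, "tcp"))
```

Against a real deployment, call send_test_line with the QRadar server address and the port configured on the SIEM server definition (514 by default), then confirm that the line appears on the QRadar Log Activity tab. Only the TCP result proves the listener is reachable; for UDP the Log Activity tab is the confirmation.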

1. Review the ForeScout Extended Module for IBM QRadar Configuration Guide and this How-to Guide.
2. Download App Files.
3. Install and Configure the ForeScout App for QRadar.

Download App Files

The ForeScout App for QRadar consists of the following components:

ForeScoutCounterACTAppforIBMQRadar 2.0.0.zip

You will need to install these components onto your QRadar server. Download these components to a location that can be accessed during installation.

Install and Configure the ForeScout App for QRadar

Note: If a Beta version of this release is installed in your environment, uninstall the Beta release before you install this release.

To install and configure the module:

1. Log into IBM QRadar as an Admin user.
2. In the QRadar Dashboard, select the Admin tab.
3. Select Log Source Extensions.
4. Browse to the ForeScout files and .
5. To complete installation, you are prompted to Deploy Changes. In the Admin tab, the ForeScout icon appears in the Plugins section.

No further configuration is required.

New Features

Four new policy templates have been added to allow communication about Offenses between CounterACT and QRadar. These default policies are in place for you to use as a starting point for creating multiple policies that respond to QRadar Offenses.

QRadar Action on Offense by Credibility and Severity

Keeping track of the credibility and severity of an Offense is important. Any High or Medium level indicates a possible failure of compliance. A "QRadar Action on Offense by Credibility and Severity" policy is created in CounterACT so that action is taken depending upon the severity and credibility level of the Offense.

To view the credibility and severity of an Offense:

1. In the QRadar Console, select the Offenses tab.
2. In the left pane, select All Offenses. The full list of Offenses is displayed.
3. Double-click an Offense. The Offense detail page opens. The Relevance, Severity and Credibility values are listed in the right corner.

Sub-rules include the default action to be taken on:

- High Credibility and (High) Severity events: by default the last offense credibility is set to 8, 9, and 10.
- Medium Credibility and (Medium) Severity events: by default the last offense credibility is set to 4, 5, 6, and 7.
- Low Credibility and (Low) Severity events: by default the last offense credibility is set to 1, 2, and 3.

QRadar Action on Offense by Description

When CounterACT receives an Offense from QRadar, the sub-rules of the "QRadar Action on Offense by Description" policy apply a specific action.

To view the Offense type based on the Description field:

1. In the QRadar Console, select the Offenses tab.
2. In the left pane, select All Offenses. The full list of Offenses is displayed.
3. Using a default Offense as an example, double-click an Offense that contains the word "Honeypot" in the Description field. The Offense detail page opens.

The ForeScout App for QRadar supports the following Offense rules:

- Access to Honeypot Defined Address
- Attack followed by Attack Response
- Device Stopped Sending Events
- Excessive Firewall Denies
- Local Flood (TCP)
- SSH Server Scanner
- New Host Discovered
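The two policies above key on different Offense fields: credibility ranges for the first, words in the Description for the second, and one Offense can match both. The following script is an added example written for this guide, not ForeScout or IBM code, showing how an administrator could pre-check which sub-rule an Offense would land in before turning on the CounterACT action. The credibility ranges and the rule names are the defaults quoted in this guide; the record layout (keys id, credibility, severity, description) and the sample Offenses are constructed assumptions, not real QRadar output.

```python
"""Decide which CounterACT policy sub-rule a QRadar Offense would fall under.

Added illustration, not ForeScout or IBM code. The credibility buckets and
the list of supported Offense rules are the defaults quoted in this guide;
the record layout (keys 'id', 'credibility', 'severity', 'description') and
the sample Offenses are constructed assumptions for the example.
"""

# "QRadar Action on Offense by Credibility and Severity": default ranges of
# the last offense credibility for each sub-rule.
CREDIBILITY_BUCKETS = (("High", 8, 10), ("Medium", 4, 7), ("Low", 1, 3))

# "QRadar Action on Offense by Description": Offense rules the app supports.
SUPPORTED_OFFENSE_RULES = (
    "Access to Honeypot Defined Address",
    "Attack followed by Attack Response",
    "Device Stopped Sending Events",
    "Excessive Firewall Denies",
    "Local Flood (TCP)",
    "SSH Server Scanner",
    "New Host Discovered",
)

# Constructed sample records in the assumed layout (not real QRadar output).
SAMPLE_OFFENSES = [
    {"id": 101, "credibility": 9, "severity": 8,
     "description": "Access to Honeypot Defined Address containing Firewall Deny"},
    {"id": 102, "credibility": 5, "severity": 6,
     "description": "SSH Server Scanner preceded by New Host Discovered"},
    {"id": 103, "credibility": 2, "severity": 3,
     "description": "Local Flood (TCP)"},
    {"id": 104, "credibility": 0, "severity": 1,
     "description": "Custom rule with no CounterACT mapping"},
]


def credibility_bucket(credibility):
    """Return 'High', 'Medium' or 'Low', or None when the value lies outside
    1..10 (for example a missing or unparsed field)."""
    for name, lo, hi in CREDIBILITY_BUCKETS:
        if lo <= credibility <= hi:
            return name
    return None


def match_description(description):
    """Return every supported rule whose name appears in the description, in
    the order the rules are listed. QRadar chains several rule names into
    one description ("X containing Y"), so more than one can match.
    Matching is case-insensitive."""
    text = description.lower()
    return [rule for rule in SUPPORTED_OFFENSE_RULES if rule.lower() in text]


def classify_offense(offense):
    """Combine both policies for one Offense record."""
    try:
        cred = int(offense.get("credibility", 0))
    except (TypeError, ValueError):
        cred = 0
    bucket = credibility_bucket(cred)
    rules = match_description(str(offense.get("description", "")))
    return {
        "id": offense.get("id"),
        "credibility_subrule": bucket,
        "description_subrules": rules,
        # An Offense neither policy recognises needs a new sub-rule or a
        # custom rule; surface it rather than dropping it silently.
        "unmapped": bucket is None and not rules,
    }


def classify_all(offenses=SAMPLE_OFFENSES):
    """Classify a list of Offense records."""
    return [classify_offense(o) for o in offenses]


if __name__ == "__main__":
    for result in classify_all():
        print(result)
```

The unmapped flag is the part worth keeping in a real check: an Offense with credibility 0 and a description naming none of the seven rules triggers neither policy, so it shows up in QRadar but never reaches a CounterACT action.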

Refer to the IBM QRadar User Guide for more information: nter/SS42VS 7.2.8/com.ibm.qradar.doc/qradar IC welcome.html

QRadar Send SIEM Update

When QRadar sends an hourly update to CounterACT, the widgets automatically update to display the information in the Dashboard.

QRadar WinCollect Agent Compliance

A CounterACT policy detects Windows endpoints on both the IBM QRadar machine and the Windows host to allow IBM QRadar to collect Windows-based events. For example, if the policy detects that an endpoint is not in compliance, it directs the user of the endpoint to a URL to install the QRadar WinCollect Agent. It is recommended that the URL be available from outside the corporate network to ensure that the user can access the QRadar agent installer.

Integrate the ForeScout Functionalities into IBM QRadar

Now that you have established communication between the ForeScout Extended Module for IBM QRadar and the IBM QRadar SIEM server, you can work with ForeScout functionalities in the IBM QRadar Dashboard.

To import widgets into the QRadar Dashboard:

1. Follow the steps in the ForeScout Extended Module for IBM QRadar Configuration Guide to deploy the app to the QRadar console.
2. Open the QRadar console in a browser (Google Chrome is recommended) and go to the QRadar Web Console. See QRadar support for additional URL information.
3. In the QRadar console, select the Dashboard tab.
4. Select Add Item.
5. Select ForeScout and then select one of the following widgets, for example Compliance Status Summary:

   Compliance Status Summary: The number of endpoints that have or have not fulfilled organizational requirements for compliance policies. For example, the number of endpoints that have or have not installed prohibited applications such as instant messaging or peer-to-peer applications.

   Device Classification: Indicates the percentage of all the different types of devices that are connected to the network. Example: Windows, Mac, Android, Unknown.

   Host Connection Status: The number of endpoints that are currently connected to your network.

   Corporate/Guest Status: The number of endpoints in your organization not considered part of the corporate network, for example, personal laptops used by outside contractors. CounterACT may have detected these endpoints when they did not properly authenticate with the network.

   CounterACT Dashboard: You can have multiple CounterACT Dashboards.
     1. Select the IP address in the ForeScout CounterACT field and then select Open. The CounterACT login opens.
     2. Log in. The CounterACT Dashboard opens. The widget displays on the Dashboard as a pie chart.

6. The widget is added to your dashboard.
7. Repeat steps 1-6 to add additional widgets to the QRadar Dashboard.

View Widget Details

Each widget watches the IP addresses related to its subject matter. You can drill down into each widget to get detailed information:

1. Within a widget, select the View Detail link. The Details page opens.
2. In the Time Range field, select the time slot for which you want to view more details, then select Update. The information is displayed as a pie chart.

Customize the Display of the Dashboard

You can re-order the widgets on the Dashboard using drag-and-drop. Simply drag the grey bar of the widget frame to the desired location.

Display Inventory Data

Use the CounterACT Inventory to view a real-time display of threats detected by IBM QRadar. The inventory lets you:

- Broaden your view of the organizational network from device-specific to activity-specific.
- View endpoint information reported by the IBM QRadar Offenses and Disposition Triggers.
- View endpoints that have been detected with specific Offenses.
- Easily track IBM QRadar Offense detection activity.
- Incorporate inventory detections into policies.

To access the inventory:

1. In the CounterACT Console, select the Inventory icon from the Console toolbar.
2. Navigate to the IBM QRadar folder. The list of QRadar Offenses is displayed.

Running Action Items

To trigger a CounterACT action item:

1. In QRadar, go to the Log Activity tab.
2. Right-click an IP address that is managed by CounterACT and select Request CounterACT Alert Disposition from the menu.
3. The ForeScout Policy Disposition pane is displayed.
4. The CounterACT Enterprise Manager address is populated into the ForeScout CounterACT field. Select an Action from the drop-down menu. For the action selected, CounterACT sends an alert to QRadar saying "this IP address needs to have a Null/Notify/Remediate/Quarantine/Other action done to it."
5. Select Submit.
6. In the CounterACT Policy Manager, select Apply.
7. In the Action column of the Policy Manager, hovering over the HTTP Notification icon displays a list of all the parameters for that sub-rule.

An optional Send Updates to QRadar SIEM Server action is enabled for each sub-rule. For more information, see QRadar Send SIEM Update.

Additional CounterACT Documentation

For more detailed information about the CounterACT features described here or additional CounterACT features and modules, refer to the following resources:

- Documentation Portal
- Customer Support Portal
- CounterACT Console Online Help Tools

Documentation Portal

The ForeScout Documentation Portal is a Web-based library containing information about CounterACT tools, features, functionality and integrations.

To access the Documentation Portal:

1. Go to www.forescout.com/docportal.
2. Use your customer support credentials to log in.
3. Select the CounterACT version you want to discover.

Customer Support Portal

The Customer Support Portal provides links to CounterACT version releases, service packs, plugins and modules as well as related documentation. The portal also provides a variety of How-to Guides, Installation Guides and more.

To access the Customer Support Portal:

1. Go to l counteract.
2. Select the CounterACT version you want to discover.

CounterACT Console Online Help Tools

Access information directly from the CounterACT Console.

Console Help Buttons

Use context-sensitive Help buttons to quickly access information about the tasks and topics you are working with.

Console User Manual

Select CounterACT Help from the Help menu.

Plugin Help Files

1. After the plugin is installed, select Options from the Tools menu and then select Plugins.
2. Select the plugin and then select Help.

Documentation Portal

Select Documentation Portal from the Help menu.

Legal Notice

Copyright ForeScout Technologies, Inc. 2000-2017. All rights reserved. The copyright and proprietary rights in this document belong to ForeScout Technologies, Inc. ("ForeScout"). It is strictly forbidden to copy, duplicate, sell, lend or otherwise use this document in any way, shape or form without the prior written consent of ForeScout. All other trademarks used in this document are the property of their respective owners.

These products are based on software developed by ForeScout. The products described in this document may be protected by one or more of the following U.S. patents: #6,363,489, #8,254,286, #8,590,004, #8,639,800 and #9,027,079 and may be protected by other U.S. patents and foreign patents.

Redistribution and use in source and binary forms are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials and other materials related to such distribution and use acknowledge that the software was developed by ForeScout.

Unless there is another valid written agreement executed by you and ForeScout that governs the ForeScout products and services:

- If you have purchased any ForeScout products or services, your use of such products or services is subject to your acceptance of the terms set forth at http://www.forescout.com/eula/;
- If you have purchased any ForeScout support service ("ActiveCare"), your use of ActiveCare is subject to your acceptance of the terms set forth and-support-policy/;
- If you are evaluating ForeScout's products, your evaluation is subject to your acceptance of the applicable terms set forth below:
  - If you have requested a General Availability Product, the terms applicable to your use of such product are set forth at: http://www.forescout.com/evaluationlicense/.
  - If you have requested a Beta Product, the terms applicable to your use of such product are set forth at: http://www.forescout.com/beta-test-agreement/.
  - If you have purchased any ForeScout Not For Resale licenses, such license is subject to your acceptance of the terms set forth at http://www.forescout.com/nfr-license/.

Send comments and questions about this document to: documentation@forescout.com

2017-11-02 11:49
Version 2.0.1
